6: Developing IG Policies and Frameworks


    Introduction

    Information governance (IG) policies are the written rules that turn an organization’s intentions into consistent, repeatable behavior. A policy answers “what must be true” about information handling—who may access it, how it is labeled, where it may be stored, how long it is kept, and how it is disposed. Procedures and standards sit underneath policy: procedures explain how people perform tasks (for example, placing a legal hold), while standards specify implementation details (for example, encryption requirements or required metadata fields). Together, policies, standards, and procedures form an IG framework: a coherent set of rules that covers the information lifecycle and can be enforced through training, audits, and technology.

    In 2026, policy work is more urgent, and more complex, because information moves faster and farther than it used to. Cloud collaboration platforms blur the line between “documents,” “messages,” and “records.” AI assistants turn internal content into summaries, drafts, and new outputs in seconds. Third parties (vendors, contractors, model providers, software plug-ins) increasingly touch sensitive data. Meanwhile, regulators and courts expect organizations to demonstrate control, not just good intentions. The EU Artificial Intelligence Act creates explicit requirements for high-risk AI systems, including risk management, data governance, documentation, logging, transparency, and human oversight, and it phases in obligations over time. In the United States, privacy enforcement has matured, with California’s privacy agency publishing and updating regulations and expanding attention to areas such as automated decisionmaking, audits, and risk assessments. Public companies also face formal disclosure expectations for cybersecurity risk management and incident reporting under SEC rules, reinforcing that governance must be documented and board-visible. [eur-lex.europa.eu], [artificial...enceact.eu] [Law & Regu...ncy (CPPA)] [sec.gov]

    This chapter provides a practical guide to developing IG policies and frameworks. You will learn a step-by-step policy development process, review the most common IG policy types (including AI use and third-party data handling), and see templates and checklists you can adapt. You will also learn how to enforce policies through training, monitoring, audits, and automation—and how to keep policies current as laws and technology evolve.

    The Policy Development Process

    Good policies are not written in isolation. They are negotiated agreements about risk, value, and responsibility. A strong policy development process makes policies legitimate (approved by the right authorities), usable (clear enough to follow), and enforceable (connected to controls and consequences).

    Step 1: Identify needs and triggers

    Most policy projects start with a trigger. Common triggers include:

    • A new law or regulation (for example, updates to privacy rules or new AI obligations). [eur-lex.europa.eu], [Law & Regu...ncy (CPPA)]
    • A security incident, audit finding, or litigation event that reveals gaps.
    • A technology rollout (cloud migration, new collaboration platform, enterprise AI assistant).
    • Business expansion (new geography, acquisition, new product line).

    Begin by writing a short “policy problem statement” that describes the risk or inefficiency you are trying to reduce and who is affected. Then confirm the scope: which business units, repositories, and data types are in scope now, and what will be addressed later.

    Step 2: Map stakeholders and decision rights

    Policies succeed when the right people help shape them. Identify stakeholders using a simple map:

    • Business owners (who rely on the information to do work)
    • Legal and compliance (who interpret laws, contracts, and litigation risk)
    • Privacy (who focuses on personal data rights and appropriate processing)
    • Security/IT (who can implement controls, logging, and monitoring)
    • Records/Information management (who manages retention, disposition, and defensibility)
    • Risk/Audit (who tests controls and reports findings)

    Define decision rights early. For example: the IG steering committee approves enterprise-wide policy; business units may approve local procedures that do not conflict with enterprise policy; the CISO approves security standards. Documenting these rights reduces later conflict.

    Step 3: Gather requirements and current-state evidence

    Policy drafting should be grounded in evidence. Collect:

    • Applicable legal and regulatory requirements (privacy, sector rules, retention mandates). [Law & Regu...ncy (CPPA)], [sec.gov], [hhs.gov]
    • Contracts and third-party obligations (data processing terms, confidentiality clauses).
    • Current workflows and pain points (where people struggle, where they bypass controls).
    • Existing policies that overlap (acceptable use, incident response, vendor management).

    A practical technique is to run short interviews or workshops around real scenarios: “A staff member wants to paste customer data into an AI tool; what should happen?” “A team wants to keep chat messages forever; should they?” These scenarios reveal where policy needs to be precise.

    Step 4: Draft in plain language and structure for usability

    Students often imagine policies as long legal documents. In reality, the best policies are concise, structured, and written for the people who must follow them.

    Use a consistent structure:

    • Purpose (why the policy exists)
    • Scope (who and what it applies to)
    • Definitions (only what readers truly need)
    • Policy statements (the rules: “must,” “must not,” “may”)
    • Roles and responsibilities (who does what)
    • Exceptions (how to request, approve, and log exceptions)
    • Enforcement (consequences, monitoring, audits)
    • References (related standards, procedures, laws)

    Write rules as testable statements: a rule is testable when it names the data, the condition, and the required or prohibited action precisely enough that an auditor or an automated control can decide pass or fail for a given item. “Employees should be careful” is not testable. “Do not store Restricted data in personal cloud accounts” is testable.

    Step 5: Review for feasibility, risk, and conflicts

    Policy review is where many drafts fail. A policy may be legally sound but impossible to follow. Review the draft with:

    • IT/Security for technical feasibility (can we enforce this in systems?)
    • Business teams for workflow impact (does this block core work?)
    • Legal/Privacy for compliance and defensibility (does it meet obligations?)
    • Audit/Risk for measurability (can we test compliance?)

    Resolve conflicts explicitly. If a policy requires encryption everywhere but a legacy system cannot encrypt, decide whether to migrate, isolate, or create a time-bound exception.

    Step 6: Approve through a formal governance path

    Approval should match policy impact. A department procedure may be approved by a director, but enterprise policy should be approved by an executive sponsor or steering committee. ARMA emphasizes accountability: a senior executive should oversee the recordkeeping program and ensure auditability. Formal approval creates legitimacy and signals that the policy is not optional. [armavi.org], [arma.org]

    Step 7: Communicate, train, and operationalize

    A policy that is not communicated is not real. Plan for:

    • A launch message from leadership explaining “why now.”
    • Role-based training (different content for employees, managers, IT admins, and developers).
    • Job aids: quick reference guides, decision trees, and examples.
    • Tool changes: labels, default settings, templates, automated prompts.

    Step 8: Maintain and improve (policy lifecycle management)

    Policies must stay current. Establish:

    • A review cycle (often annually; faster for AI and security topics).
    • Change triggers (new law, new platform, major incident).
    • Version control and an accessible policy library.
    • Metrics and audit results feeding into revisions.

    NIST’s AI RMF Playbook emphasizes that governance is ongoing and should be adapted to context rather than treated as a one-time checklist. That same mindset applies to IG policies. [airc.nist.gov], [digitalgov...enthub.org]
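    The process above asks for rules written as testable statements (Step 4), checked for technical enforceability (Step 5), with exceptions that are time-bound and logged (Steps 4 and 5). The following Python program is an added example, not code from the chapter, showing what that looks like once the policy reaches a system: three hypothetical policy statements (IG-01, IG-02, IG-03) are encoded as functions, run over a constructed information inventory, and reconciled against an exception register whose entries expire. The classification labels, repository names, retention schedule, items, and exceptions are all assumptions constructed for illustration.

```python
"""Policy statements as testable rules, evaluated against an information inventory.

Added example for this chapter, not code from the original page. The labels,
repository names, retention schedule, items and exception register are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Repositories the hypothetical policy classifies as personal cloud accounts.
PERSONAL_CLOUD = {"personal-dropbox", "personal-gdrive"}

# Hypothetical retention schedule: record series -> retention in days (None = permanent).
RETENTION_DAYS = {"chat": 365, "invoice": 7 * 365, "board-minutes": None}


@dataclass(frozen=True)
class Item:
    item_id: str
    label: str            # classification label, e.g. "Internal" or "Restricted"
    repository: str
    record_series: str
    created: date
    legal_hold: bool = False


@dataclass(frozen=True)
class PolicyException:
    rule_id: str
    target: str           # item_id or repository the exception covers
    expires: date         # exceptions are time-bound; an expired one no longer applies
    approver: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    item_id: str
    status: str           # "violation" or "excepted"
    detail: str


def rule_no_restricted_in_personal_cloud(item, today):
    """IG-01: Restricted data must not be stored in personal cloud accounts."""
    if item.label == "Restricted" and item.repository in PERSONAL_CLOUD:
        return f"Restricted item stored in {item.repository}"
    return None


def rule_dispose_after_retention(item, today):
    """IG-02: Items past retention must be disposed of unless under legal hold."""
    period = RETENTION_DAYS.get(item.record_series)
    if period is None:    # permanent series, or unknown series (IG-03 reports that)
        return None
    overdue = (today - item.created).days - period
    if overdue > 0 and not item.legal_hold:
        return f"{item.record_series} item is {overdue} days past retention"
    return None


def rule_known_record_series(item, today):
    """IG-03: Every item must belong to a record series on the retention schedule."""
    if item.record_series not in RETENTION_DAYS:
        return f"record series {item.record_series!r} is not on the schedule"
    return None


RULES = {
    "IG-01": rule_no_restricted_in_personal_cloud,
    "IG-02": rule_dispose_after_retention,
    "IG-03": rule_known_record_series,
}


def active_exception(exceptions, rule_id, item, today):
    """Return the exception covering (rule, item) that has not expired, else None."""
    for ex in exceptions:
        if (ex.rule_id == rule_id
                and ex.target in (item.item_id, item.repository)
                and ex.expires >= today):
            return ex
    return None


def evaluate(items, exceptions, today):
    """Run every rule over every item; excepted findings are kept for the audit trail."""
    findings = []
    for item in items:
        for rule_id, rule in RULES.items():
            detail = rule(item, today)
            if detail is None:
                continue
            ex = active_exception(exceptions, rule_id, item, today)
            if ex is None:
                findings.append(Finding(rule_id, item.item_id, "violation", detail))
            else:
                findings.append(Finding(rule_id, item.item_id, "excepted",
                                        f"{detail}; exception by {ex.approver} until {ex.expires}"))
    return findings


def run_demo(today=date(2026, 3, 1)):
    """Constructed inventory and exception register; returns the findings."""
    items = [
        Item("doc-1", "Restricted", "personal-dropbox", "invoice", date(2025, 1, 10)),
        Item("chat-7", "Internal", "teams-archive", "chat", date(2024, 6, 1)),
        Item("chat-8", "Internal", "teams-archive", "chat", date(2024, 6, 1), legal_hold=True),
        Item("legacy-3", "Restricted", "personal-gdrive", "invoice", date(2025, 9, 1)),
        Item("legacy-4", "Restricted", "personal-gdrive", "invoice", date(2025, 9, 1)),
        Item("memo-2", "Internal", "records-sharepoint", "misc", date(2026, 1, 5)),
        Item("minutes-1", "Confidential", "records-sharepoint", "board-minutes", date(2010, 1, 1)),
    ]
    exceptions = [
        PolicyException("IG-01", "legacy-3", date(2026, 6, 30), "CISO"),  # still in force
        PolicyException("IG-01", "legacy-4", date(2026, 1, 31), "CISO"),  # expired
    ]
    return evaluate(items, exceptions, today)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule_id} {f.status:9} {f.item_id}: {f.detail}")
```

    Two design choices carry the chapter's points. First, an excepted finding is still recorded, with its approver and expiry, rather than silently dropped; that is what makes an exception "logged" in the sense of Step 4, and it is what an auditor will ask for in Step 5. Second, the expired exception on `legacy-4` turns back into a violation on its own, which is how a time-bound exception (Step 5) stays time-bound without anyone remembering to revisit it. Note also that the item under legal hold (`chat-8`) is past retention but produces no disposition finding, since the hold suspends disposal.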



    This page titled 6: Developing IG Policies and Frameworks is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by .
